04:38:54 <maybefbi> sarang: From page 51 of Zero to Monero 2.0 https://imgur.com/ICl3Eyv so the private key of the commitment to zero is used in the signature. But the key image of the commitment to zero is not used when linking two sets of key images. Is this correct?
05:04:58 <maybefbi> The footnote 8 on page 51 says https://imgur.com/4H0d54j so the signature omits the commitment to zero
05:13:39 <maybefbi> omitting them only during linking two signatures might be more elegant no?
08:03:25 <sarang> It isn't needed in the signature unless you want to link
13:19:52 <UkoeHB_> maybefbi: it would be quite a bit more expensive for verification to also have key images for commitments to zero
13:20:33 <maybefbi> hmm true
13:29:28 <maybefbi> if i rebuilt monero i will include it in the signature, because then it proves alice knows the z, the private key of the commitment to zero to the onlookers who dont know any view keys or such. even if i include the key image of the commitment to zero in the linking it wont cause problem because transaction public key rK is unique because r is chosen from a CPRNG. it is unlikely it will create a duplicate r and cause unwanted linkage of k
13:29:31 <maybefbi> ey images
13:33:48 <UkoeHB_> There is no need, even though the key image part is excluded the normal key part IS included, so you always sign and prove knowledge of z
13:34:47 <UkoeHB_> The challenge is like H(..., Ko, Ko key image, commitment to zero)
13:37:46 <UkoeHB_> The whole innovation with CLSAG is it lets you squish the signature into a smaller faster version because the commitment to zero doesn’t require a key image/linking
13:38:08 <maybefbi> yeah i agree CLSAG is definitely better.
13:38:20 <maybefbi> it is as lean as it can be with schemes like this
13:38:31 <UkoeHB_> more or less yes
13:38:51 <maybefbi> only that primary keypair use can be linked
13:39:58 <maybefbi> to be frank im trying to make a DLSAG version of monero after i understand monero. i already have an MDLSAG. But CDLSAG is hard. i cant get it to work
13:42:17 <maybefbi> i still havent gotten around to doing commitments inside an MDLSAG. perhaps i will need two commitments and two pseudo commitments
13:43:31 <UkoeHB_> isn’t there some kind of flaw with DLSAG?
13:43:50 <maybefbi> yes it needs self sign at getting money
13:43:58 <maybefbi> *after getting money
13:44:15 <maybefbi> not aware of any other flaws
15:15:07 <sarang> It is true that it should be possible to "CLSAGify" DLSAG, as was mentioned in the original preprint
15:15:23 <sarang> We just never bothered to work it out with the security proofs yet, because the self-spend issue was so onerous a requirement
15:16:07 <sarang> But yeah, the whole CLSAG idea is just that you can squish the components together with some careful weighting inside the hash challenges... and you pay for it by carrying around key images for each component, even if you don't use them for linking
15:16:25 <sarang> At that point, the "extra" key image(s) is/are only to make the algebra work
15:18:01 <sarang> (there are applications to something like 3-CLSAG, like hidden timelocks)